Two BVI in one Cisco ACE context

martin.foote
Level 1

Hello

Would someone please confirm to me that it's possible to create two BVI in the same context? Also that in order for something in BVI 10 to connect to a VIP in BVI 20 it needs to pass through the upstream FWSM?

e.g.

interface vlan 10
  description Web Production DMZ Client-side
  bridge-group 10
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP
  service-policy input PM_WEB

interface vlan 11
  description Web Production DMZ Server-side
  bridge-group 10
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP

interface vlan 20
  description App Production Zone Client-side
  bridge-group 20
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP
  service-policy input PM_APP

interface vlan 21
  description App Production Zone Server-side
  bridge-group 20
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP

interface bvi 10
  ip address 10.10.0.2 255.255.255.0
  alias 10.10.0.4 255.255.255.0
  peer ip address 10.10.0.3 255.255.255.0
  description Web Production DMZ SLB Bridge

interface bvi 20
  ip address 10.20.0.2 255.255.255.0
  alias 10.20.0.4 255.255.255.0
  peer ip address 10.20.0.3 255.255.255.0
  description App Production Zone SLB Bridge

We appear to be encountering an issue with a similar configuration to the above, where if something in either server VLAN (Web or App) tries to connect to a VIP in the other BVI then it doesn't traverse the upstream FWSM, it just somehow makes a direct connection which then appears to fail, I assume, due to the lack of route back?

Thanks in advance

Martin

11 Replies

Cesar Roque
Level 4

Hi Martin,

Yes, you can have two BVI in the same context. Have you tried to configure a nat-pool to do source NAT? It sounds like an asymmetric flow.

_________________________

Cesar R

--------------------- Cesar R ANS Team

Hi Cesar

Thanks for the reply.

I am pretty much certain that there is no asymmetric flow. The current setup is using CSM in bridged mode and we are migrating to ACE. The FWSM also shows hits in the current setup between Web and App zones.

My colleague found this post which seems to have been an identical issue.

https://supportforums.cisco.com/message/3137301

However, there is no explanation as to why we would need to apply the service-policy on the server side of the second BVI. It does appear to have fixed the issue, but there is no real explanation as to why it would. It seems nonsensical. Any comments or understanding to share on this method?

We have used NAT previously for servers which need to call a client-side VIP, but this is only applicable when there is one BVI, not two. It should route via the FWSM?

Thanks

Martin

Hi Martin,

The traffic will enter the ACE on BVI 20, so we need to match the traffic at that moment, otherwise the ACE is not going to have a hit on the VIP. That is the reason.

--------------------- Cesar R ANS Team

Hi Cesar

I'm still confused... If I had a switch with two VLANs with a firewall being the device routing between the two VLANs, I would expect that traffic from one VLAN would need to route through the firewall to reach the other. For ACE this doesn't seem to be the case; I'm unclear why it's allowed to shortcut the firewall?

For example, I could be running different types of inspection on my "firewall", which this traffic would then be allowed to circumvent.

Thanks

Martin

Hi Martin,

Please read below.

Autogenerating a MAC Address for a VLAN Interface

By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.

When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.

To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:

mac address autogenerate

For example, enter:

host1/Admin(config-if)# mac address autogenerate

Hope that helps.

regards,

Ajay Kumar

Hi Ajay

I understand this, but I am talking about two BVI in the same context with a FWSM operating at Layer 3 (not transparent).

In my example I have FWSM interfaces:

VLAN 10 - ip address 10.10.0.1 255.255.255.0

VLAN 20 - ip address 10.20.0.1 255.255.255.0

With BVI 10 and 20 relating to the above. The link I posted previously says...

If I have something on the server side of VLAN 20 which wishes to call a VIP in the VLAN 10 IP range, then it is necessary to apply the service-policy for the VIP in VLAN 10 to the server-side interface of VLAN 20. This means the VIP is in a completely different IP subnet from that associated with the BVI. It also means the traffic doesn't pass through my routed FWSM, but that the traffic hops from one BVI to another on the ACE?

Thanks

Martin

Yes, true. When you apply a policy to a particular VLAN, it advertises its VIP over that VLAN and starts listening for that VIP.

You can have the same VIP listening on multiple VLANs.

I will try to get an example, but you are in the right direction.

ACE acts as a patch of two VLANs.

Ideally, if you are designing FWSM in L3 mode, it should be like this:

Client VLAN >> (Firewall VLAN ---- ACE VLAN) -- common vlan >> Server VLAN

Say VLAN 30 >> VLAN 20 >> VLAN 10

If you are trying to publish a VIP which belongs to VLAN 20 to VLAN 10, ACE will start listening to the VIP on this VLAN, and then any packet coming to that VLAN will match the class map and policy, and the load balancing decision will be taken based on that.

I know you will ask how two different subnets will communicate, but in this case the server will send any packet to its default gateway, which is ACE, and ACE knows it is supposed to listen for that VIP on VLAN 10.

If you are worried about security then remember Client traffic cannot bypass the firewall. It is just the server traffic which is bypassing the firewall which is already in the trusted zone.

Hope that helps.

regards,

Ajay Kumar

Hi Ajay

I have drawn a diagram to try and help. On the left I have what I would expect: if a server in VLAN 21 wanted to call a VIP in VLAN 10, I would expect it would use its default gateway to route to the FWSM, pass through the firewall and then hit the VIP using the client-side VLAN 10. What I have read, and what appears to work, is that you must apply the service policy, including the VIP for VLAN 10, on the server side of the other BVI, in this case VLAN 21. In this case I do not believe the traffic has to pass through the FWSM to get from the server in VLAN 21 to the VIP originally in VLAN 10 and onward to the servers hosted in VLAN 11?

Please note both BVI and all four VLAN are in the same ACE context.

Thanks

Martin

Question: I would expect, if a server in VLAN 21 wanted to call a VIP in VLAN 10, I would expect it would use its default gateway to route to the FWSM.

Answer: If the default gateway on servers in VLAN 21 is pointing to ACE, this is not going to happen. Only if the default gateway is pointing to FWSM will it work the way you expect.

Usually when the ACE is in routed mode, all the servers point their default gateway to ACE. In that case, if the packet reaches the ACE (default gateway) looking for a virtual IP, then it will process the packet for that VIP instead of forwarding it to FWSM.

Question: What I have read, and what appears to work, is that you must apply the service policy, including the VIP for VLAN 10, on the server side of the other BVI, in this case VLAN 21. In this case I do not believe the traffic has to pass through the FWSM to get from the server in VLAN 21 to the VIP originally in VLAN 10 and onward to the servers hosted in VLAN 11?

Yes, your understanding is correct: the traffic will not pass through FWSM. It will go straight to the ACE, and ACE will load balance the traffic to VLAN 11.

That's the reason why you apply the policy on VLAN 21 as well, so that the packet will be matched on VLAN 21 and the load balancing decision will be taken.

Hope that helps

regards,

Ajay Kumar
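The exchange above establishes the security-relevant point: once a VIP's service-policy is applied to a server-side VLAN of a different BVI, hosts on that VLAN reach the VIP on ingress to the ACE and the FWSM never sees the flow. The following audit script is an added example, not code from the thread or from Cisco: it parses the interface and BVI stanzas of an ACE context in the format pasted by the original poster and flags every VLAN where a VIP-carrying policy is matched outside the subnet of the VLAN's own bridge group. The sample config is constructed from the thread's own stanzas, with PM_WEB additionally applied to VLAN 21 as the linked post recommends; the policy-to-VIP mapping is an assumption, since the thread never shows the class-maps.

```python
import ipaddress
import re

# Constructed sample input: the context from the thread, trimmed to the lines
# the audit needs, plus PM_WEB on the server-side VLAN 21 (the recommended fix).
ACE_CONFIG = """
interface vlan 10
  description Web Production DMZ Client-side
  bridge-group 10
  service-policy input PM_MGT_ICMP
  service-policy input PM_WEB
interface vlan 11
  description Web Production DMZ Server-side
  bridge-group 10
  service-policy input PM_MGT_ICMP
interface vlan 20
  description App Production Zone Client-side
  bridge-group 20
  service-policy input PM_MGT_ICMP
  service-policy input PM_APP
interface vlan 21
  description App Production Zone Server-side
  bridge-group 20
  service-policy input PM_MGT_ICMP
  service-policy input PM_WEB
interface bvi 10
  ip address 10.10.0.2 255.255.255.0
interface bvi 20
  ip address 10.20.0.2 255.255.255.0
"""

# ASSUMED mapping from policy-map name to the VIP it fronts. The thread shows
# no class-maps, so these addresses are placeholders inside each BVI subnet.
VIP_OF_POLICY = {
    "PM_WEB": "10.10.0.100",
    "PM_APP": "10.20.0.100",
}


def parse_ace_interfaces(config):
    """Parse 'interface vlan N' and 'interface bvi N' stanzas.

    Returns (vlans, bvis):
      vlans: {vlan_id: {"bridge_group": int|None, "policies": [str], "description": str}}
      bvis:  {bvi_id: IPv4Network of the BVI's 'ip address' line}
    """
    vlans, bvis = {}, {}
    current = None  # ("vlan", id) or ("bvi", id) for the stanza being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface (vlan|bvi) (\d+)$", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            if current[0] == "vlan":
                vlans[current[1]] = {"bridge_group": None, "policies": [], "description": ""}
            continue
        if current is None:
            continue
        kind, num = current
        if kind == "vlan":
            if line.startswith("bridge-group "):
                vlans[num]["bridge_group"] = int(line.split()[1])
            elif line.startswith("service-policy input "):
                vlans[num]["policies"].append(line.split()[2])
            elif line.startswith("description "):
                vlans[num]["description"] = line[len("description "):]
        elif kind == "bvi" and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            bvis[num] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return vlans, bvis


def find_firewall_bypass_vips(config, vip_of_policy):
    """Return [(vlan_id, policy, vip)] for every VIP matched on a VLAN whose
    bridge-group subnet does not contain the VIP. Hosts on such a VLAN are
    load balanced by the ACE on ingress, so the flow never reaches the
    upstream FWSM and its inspection."""
    vlans, bvis = parse_ace_interfaces(config)
    findings = []
    for vlan_id, info in sorted(vlans.items()):
        subnet = bvis.get(info["bridge_group"])
        if subnet is None:
            continue  # VLAN not bridged, or BVI has no ip address line
        for policy in info["policies"]:
            vip = vip_of_policy.get(policy)
            if vip is None:
                continue  # management/ICMP policies carry no VIP in this model
            if ipaddress.ip_address(vip) not in subnet:
                findings.append((vlan_id, policy, vip))
    return findings


if __name__ == "__main__":
    for vlan_id, policy, vip in find_firewall_bypass_vips(ACE_CONFIG, VIP_OF_POLICY):
        print(f"vlan {vlan_id}: {policy} serves VIP {vip} outside its BVI subnet; "
              f"traffic from this VLAN to the VIP bypasses the FWSM")
```

Run against the constructed config, the only finding is VLAN 21 carrying PM_WEB, which is exactly the path the thread describes. Extending the same check to the `alias` and `peer ip address` lines, or reading the real class-map `match virtual-address` statements instead of the assumed mapping, is straightforward once a full context dump is available.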

Hi Ajay

The servers in VLAN21 do have their default gateway pointing at FWSM.

It seems like the use of the service-policy on VLAN21 to load balance to servers in VLAN11 is just the way it can work... I understand that this configuration works on the ACE.

What I guess my question is now:

Is applying the service-policy to VLAN 21 the only way to have it work, or will the traffic passing (bridged) through BVI 20 up to the FWSM and routed down to VLAN 10 to hit the service-policy work also? I ask as we've been unable to get this second option, and the way I'd prefer it to work, working?

Many Thanks

Martin

Is applying the service-policy to VLAN 21 the only way to have it work, or will the traffic passing (bridged) through BVI 20 up to the FWSM and routed down to VLAN 10 to hit the service-policy work also? I ask as we've been unable to get this second option, and the way I'd prefer it to work, working?

Ideally it should work that way as well. The idea is that the packet should reach the ACE on VLAN 10.

If the FWSM is able to NAT it and forward it to ACE, it should work.

A few things to check:

1) Check whether the packet is going to the FWSM or not. An access list or capture on the firewall will show it.

2) Check whether the FWSM is NATting the packet to the VIP IP or not (check if NAT is configured for that subnet range).

If the packet is getting NATted and reaching the ACE, it should work.

regards,

Ajay Kumar
